From 85887fec19ef484cf00aba91982b2e65feee15aa Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Sun, 21 Jun 2026 11:39:14 -0700 Subject: [PATCH] wiki: cross-link uos-server <-> pfsense (unifi-wifi skill halves); add uos-server to index --- wiki/index.md | 1 + wiki/systems/uos-server.md | 30 ++++++++++++++++++++++++++++-- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/wiki/index.md b/wiki/index.md index 9fcc55a0..7af9144c 100644 --- a/wiki/index.md +++ b/wiki/index.md 
@@ -88,6 +88,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | [Uranus](systems/uranus.md) | 172.16.3.21 — Unraid secondary (Dell R730xd); OwnCloud archive storage only; formerly Saturn's IP (reused Apr 2026); RAM too low for VMs | 2026-05-24 | | [IX Web Hosting Server](systems/ix-server.md) | 172.16.3.10 / 72.194.62.5 — cPanel/WHM 134 on CloudLinux 9.7 (64-core Xeon, 4.4 T /home); **72 cPanel accounts / 185 domains / 101 WordPress** + ACG sites (radio Astro, Flarum community, Matomo analytics); GuruRMM-enrolled; SSH key auth from GURU-5070; behind Cloudflare tunnel `acg-origin`; **backups look unconfigured (gap)**. Live SSH inventory 2026-06-05 — full account→domain map in the article | 2026-06-05 | | [pfsense (ACG Gateway/Firewall)](systems/pfsense.md) | 172.16.0.1 (SSH :2248) — ACG office FreeBSD gateway/firewall + Tailscale subnet router. ALSO the home of the **fleet-wide pfSense management tooling** in the `unifi-wifi` skill: SSH backend (`pfsense-ssh.sh` + `pfsense-gwc.php`) that audits/controls ANY client pfSense — `audit`/`pf-*`/`fw-*`/`block-ips`, DRY-RUN default, cred `clients//pfsense-firewall`. Validated on Cascades (Plus 25.07) 2026-06-21 | 2026-06-21 | +| [UOS Server (UniFi OS Server)](systems/uos-server.md) | 172.16.3.29 (web/API :11443 via NPM, **not** 8443) — self-hosted UniFi OS controller (~49 sites), virsh "Unifi" VM on Jupiter; UniFi Network `ace` MongoDB in rootless podman; query via `.claude/scripts/uos-mongo.sh` (root SSH key `infrastructure/uos-server-ssh-key`). UniFi half of the `unifi-wifi` skill — pairs with [pfsense](systems/pfsense.md) at UniFi-behind-pfSense sites | 2026-06-21 | ## Patterns diff --git a/wiki/systems/uos-server.md b/wiki/systems/uos-server.md index 6f55255f..914d75e8 100644 --- a/wiki/systems/uos-server.md +++ b/wiki/systems/uos-server.md 
@@ -2,8 +2,15 @@ type: system name: uos-server display_name: UOS Server (UniFi OS Server) -last_compiled: 2026-06-15 -compiled_by: GURU-5070/claude-main +last_compiled: 2026-06-21 +compiled_by: HOWARD-HOME/claude-main +sources: + - session-logs/2026-06/2026-06-21-howard-unifi-pfsense-control-verbs.md +backlinks: + - systems/jupiter + - systems/pfsense + - clients/cascades-tucson + - clients/internal-infrastructure --- # UOS Server (UniFi OS Server) 
@@ -78,6 +85,25 @@ There is **no mongo client on the guest host**; the shell is `/usr/bin/mongo` *i - **`rogue`** — neighbor/over-the-air BSSIDs seen by APs. **Not ACG gear** — a MAC hit here is someone else's WiFi, ignore it for device hunts. - **Pending/unadopted devices:** the controller only persists a discovered device into `device` with `adopted:false`. If `db.device.count({adopted:false})` is `0`, there are **no** pending devices controller-wide — an "unadopted" device that returns nothing here simply has not reached this controller (not on a network it can discover, or managed by a different console). The cloud API and integration API show adopted gear only, so they cannot find it either; locating it then needs L2/DHCP/ARP on the gateway of the site it is physically cabled to. +## Related tooling — pfSense gateway layer (works together) + +This UOS controller and the **pfSense gateway tooling** are the two halves of the **`unifi-wifi` +skill**, and they're designed to be used together at a single site: + +- **This UOS server** = the UniFi side — APs/switches/clients across ~49 sites, queried via the + Mongo path above (and the `gw-audit`/`gw-control` verbs for UniFi *gateways*). +- **[[pfsense]]** = the gateway side — when a site's gateway is a pfSense (not a UniFi USG/UXG/UCG), + the same `gw-audit`/`gw-control` verbs auto-dispatch to the pfSense SSH backend + (`pfsense-ssh.sh` + `pfsense-gwc.php`, cred `clients//pfsense-firewall`). + +A very common ACG topology is **UniFi APs/switches on this controller behind a pfSense gateway** — +e.g. [[cascades-tucson]] and the ACG office itself. At such a site you drive WiFi/switch work +through this UOS Mongo path and gateway work (WAN/firewall/port-forwards/blocking) through the +pfSense backend; `gw-audit ` covers both because it reports `num_gw=0` (no UniFi gateway) and +then runs the pfSense audit. So one skill spans the whole site regardless of gateway vendor. 
+ ## Backlinks - [[jupiter]] — hypervisor (virsh "Unifi" VM) + NPM (`172.16.3.20:7818`, the `:11443` proxy). - [[internal-infrastructure]] — ACG internal infra index. +- [[pfsense]] — the gateway half of the `unifi-wifi` skill (pfSense SSH backend); pairs with this UOS controller. +- [[cascades-tucson]] — example UniFi-on-UOS-behind-pfSense site (the pfSense backend was validated there).
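Review bot: in the index.md hunk, the credential path in the new UOS row (and in the adjacent pfsense row) reads `clients//pfsense-firewall` with an empty segment between the slashes; if a per-client placeholder belongs there it has been dropped, and as written a reader cannot tell whether the credential is stored once fleet-wide or once per client. Suggest writing the path exactly as the skill expects it so the index matches the real credential location, and applying the same fix to the pfsense row. Also, because this row is the only index entry that tells a reader the web/API port is `:11443` via NPM and not 8443, consider naming the NPM host that fronts it (the article's own backlinks section gives `172.16.3.20:7818`) so the row stands on its own.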
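Review bot: in the frontmatter hunk, the new `backlinks:` list duplicates the `## Backlinks` section at the bottom of the same article (`jupiter`, `pfsense`, `cascades-tucson`, `internal-infrastructure`), so the two lists now have to be kept in step by hand; the index context line says `/wiki-lint` checks for broken backlinks, so either confirm the lint reads the frontmatter entries as well as the `[[...]]` links, or keep only one of the two lists. Separately, `sources:` cites only the 2026-06-21 session log even though the page was previously compiled on 2026-06-15 by a different operator; if earlier sessions informed the rest of the article, list them too, otherwise a reader will take the whole page as derived from this one session.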
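Review bot: in the uos-server.md body hunk, the new section states that `gw-audit`/`gw-control` auto-dispatch to the pfSense SSH backend when the site's gateway is pfSense, but never says how the dispatch decision is made or what happens when `num_gw=0` and no `pfsense-firewall` credential exists for that client (a site whose gateway is neither UniFi nor pfSense): state whether the verb fails closed with an error or silently reports an empty audit, since an operator could otherwise mistake "nothing found" for "nothing wrong". Because `gw-control` is a mutating verb, the DRY-RUN default that the index row attributes to the pfSense backend is worth one sentence here as well. Two dropped tokens: the topology paragraph reads `gw-audit  covers both` with the argument placeholder missing after `gw-audit`, and the credential path again reads `clients//pfsense-firewall` with an empty segment. Minor style: "(works together)" in the heading restates "two halves" in the first sentence and can be dropped.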